Nginx 1.26.3 & 1.27.4: TLS Vulnerability Fixed

Nginx 1.27.4 has been released on the main branch, which carries development of new features and capabilities, alongside Nginx 1.26.3 on the supported stable branch, which receives only fixes for critical errors and vulnerabilities. Among the recent updates is a fix for a vulnerability (CVE-2025-23419) that allows client TLS certificate verification to be bypassed.

The vulnerability stems from missing checks when handling virtual hosts that are bound to the same IP address and port and distinguished for HTTPS by the TLS SNI extension. In such setups, an attacker can reuse the TLS session of one virtual host to circumvent client TLS certificate authentication on another host served from the same address. The issue arises when the default server for that address performs client TLS certificate authentication while also allowing TLS session resumption via TLS session tickets or the TLS session cache. Affected builds range from Nginx 1.11.4 onward when compiled with OpenSSL and with the TLSv1.3 protocol enabled.
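The conditions above (several virtual hosts on one address:port, a default server that authenticates client certificates and still permits session resumption) can be checked against a configuration file before an upgrade window opens. The following audit script is an added example written for this article, not code from the Nginx project, and it is a heuristic: it assumes the nginx defaults of `ssl_session_cache none` and `ssl_session_tickets on`, the rule that the first server declared for an address becomes its default when none carries `default_server`, and a simplified parser that handles ordinary `directive args;` and `block { }` syntax. It does not inspect the build (OpenSSL, TLSv1.3), which must be confirmed separately with `nginx -V`. The sample configuration embedded in it is constructed for illustration.

```python
"""Heuristic audit for the CVE-2025-23419 preconditions described above (added example)."""
import re

# nginx defaults for the two session-resumption directives (assumption from
# the nginx documentation: cache "none", tickets "on").
DEFAULTS = {"ssl_session_cache": ["none"], "ssl_session_tickets": ["on"]}

# Fixed releases named in the article, keyed by minor branch.
FIXED = {26: (1, 26, 3), 27: (1, 27, 4)}
FIRST_AFFECTED = (1, 11, 4)

# Constructed sample configuration (not taken from any real deployment).
SAMPLE_CONF = """
http {
    ssl_session_cache shared:SSL:10m;   # inherited by every server below

    server {                            # default for *:443, does client-cert auth
        listen 443 ssl default_server;
        server_name internal.example.test;
        ssl_client_certificate /etc/nginx/clients-ca.crt;
        ssl_verify_client on;
        ssl_session_tickets on;
    }
    server {                            # shares *:443 with the host above
        listen 443 ssl;
        server_name public.example.test;
        ssl_verify_client off;
    }
    server {                            # default for *:8443, resumption disabled
        listen 8443 ssl;
        server_name admin.example.test;
        ssl_verify_client on;
        ssl_session_cache off;
        ssl_session_tickets off;
    }
    server {
        listen 8443 ssl;
        server_name status.example.test;
    }
}
"""


def version_tuple(v):
    return tuple(int(x) for x in v.strip().split("."))


def version_affected(v):
    """True if the nginx version lies in the range the article gives (1.11.4 up to
    the fixes in 1.26.3 / 1.27.4). Branches newer than 1.27 are assumed fixed."""
    t = version_tuple(v)
    if t < FIRST_AFFECTED:
        return False
    fixed = FIXED.get(t[1]) if t[0] == 1 else None
    if fixed is None:
        return t < (1, 26, 0)  # older branches received no fix
    return t < fixed


def _tokenize(text):
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    return re.findall(r"[{};]|[^\s{};]+", text)


def _parse(tokens, pos=0):
    """Recursive descent over the token stream; returns (directives, blocks, pos)."""
    directives, blocks = [], []
    while pos < len(tokens):
        if tokens[pos] == "}":
            return directives, blocks, pos + 1
        words = []
        while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
            words.append(tokens[pos])
            pos += 1
        if pos == len(tokens):
            raise ValueError("unterminated statement: %r" % words)
        if tokens[pos] == ";":
            directives.append((words[0], words[1:]))
            pos += 1
        elif tokens[pos] == "{":
            inner_d, inner_b, pos = _parse(tokens, pos + 1)
            blocks.append((words[0], words[1:], inner_d, inner_b))
        else:
            raise ValueError("unexpected '}' after %r" % words)
    return directives, blocks, pos


def _lookup(name, directives, inherited):
    for d, args in directives:
        if d == name:
            return args
    return inherited.get(name, DEFAULTS.get(name, []))


def _resumption_enabled(directives, inherited):
    cache = _lookup("ssl_session_cache", directives, inherited)
    tickets = _lookup("ssl_session_tickets", directives, inherited)
    cache_on = bool(cache) and cache[0] not in ("off", "none")
    tickets_on = not tickets or tickets[0] != "off"
    return cache_on or tickets_on


def _listen_key(args):
    addr = args[0] if args else "*:80"
    return addr if ":" in addr else "*:" + addr


def audit(conf_text):
    """One finding per listen address shared by several servers whose default
    server authenticates client certificates and accepts resumed sessions."""
    _, top_blocks, _ = _parse(_tokenize(conf_text))
    findings = []
    for name, _a, http_dirs, http_blocks in top_blocks:
        if name != "http":
            continue
        inherited = {d: a for d, a in http_dirs if d in DEFAULTS}
        by_addr = {}
        for bname, _b, dirs, _sub in http_blocks:
            if bname != "server":
                continue
            for largs in [a for d, a in dirs if d == "listen"] or [[]]:
                by_addr.setdefault(_listen_key(largs), []).append(("default_server" in largs, dirs))
        for addr, servers in by_addr.items():
            if len(servers) < 2:
                continue
            default = next((d for flag, d in servers if flag), servers[0][1])
            verify = _lookup("ssl_verify_client", default, {})
            if verify and verify[0] != "off" and _resumption_enabled(default, inherited):
                names = _lookup("server_name", default, {})
                findings.append({"address": addr,
                                 "default_server": names[0] if names else "?",
                                 "other_hosts": len(servers) - 1})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print(finding)
```

Only the `*:443` address is reported: its default server requires client certificates and inherits the session cache from the `http` block, while `*:8443` disables both resumption mechanisms on its default server. A clean result from this script is not a clearance; the remediation the article describes is moving to 1.26.3 or 1.27.4.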

Other, non-security changes include:

  • Added optimizations that reduce CPU load when TLS is used in configurations with many server and location blocks: the SSL context of the parent block is now reused instead of a separate SSL context being created for every configuration block.
  • Fixed slow configuration loading caused by re-parsing the same set of TLS certificates, keys, and certificate authority lists. Configuration reloads are now faster because unchanged TLS objects (certificates, keys, and CRLs) are reused. A new directive, “object_cache_inheritable”, disables this object inheritance during configuration updates.
  • Introduced a cache for certificates and keys loaded using